Compliance Guide

DHA Compliance for Healthcare AI Vendors in UAE

What DHA approval actually means, what is required, how to verify vendors, the documents you need, and a compliance checklist. Everything UAE hospital procurement teams need to know about DHA compliance for healthcare AI.

Chapter 1

What DHA Approval Actually Means

Separating marketing claims from real regulatory compliance.

DHA approval is not a single certificate — it is a combination of regulatory requirements that a healthcare AI vendor must satisfy before their system can legally handle patient data in Dubai. Many vendors claim to be "DHA compliant" when they have simply registered as a technology vendor. Real compliance is much more rigorous.

The Dubai Health Authority oversees healthcare data management under Federal Law No. 45 of 2021 (Personal Data Protection Law) and the DHA Health Data Management Compliance Standards. Healthcare AI vendors must meet both standards.

Key point: DHA facility licensure is required for any company handling patient health data in Dubai. Technology companies without a DHA facility license are operating outside the regulatory framework, regardless of what they claim about compliance.

DHA Compliance Is Not Just One Thing

1. Health Data License: DHA facility license for health data management; mandatory for any vendor handling patient data.
2. Data Residency: patient data stored exclusively on DHA-approved UAE-based servers.
3. Security Certification: SOC 2 Type II or an equivalent security certification.
4. PDPL Compliance: compliance with the UAE Personal Data Protection Law (Federal Law No. 45 of 2021).
5. Consent Management: patient consent flows for AI handling of enquiries and data processing.
6. Audit Trails: logged access to patient data, including all AI interactions.

Chapter 2

What Is Required for DHA AI Compliance

Specific requirements healthcare AI vendors must satisfy.

All of the following requirements are mandatory.

1. Data Residency: all patient data must be stored on servers physically located in the UAE. Cloud providers must use DHA-approved data centers (AWS UAE, Azure UAE, or equivalent).
2. Encryption Standards: AES-256 encryption at rest and TLS 1.3 for data in transit. Keys are managed separately from the data they protect, using DHA-approved key management services.
3. Access Controls: role-based access control (RBAC) following the principle of least privilege, multi-factor authentication for all data access, and regular access reviews.
4. Audit Logging: every access to patient records must be logged with timestamp, user identity, and action type. Logs are retained for a minimum of 7 years. AI interactions are included.
5. Consent Management: patients must explicitly consent to AI handling their enquiries. Consent is presented in Arabic and English, and consent revocation must be honored immediately.
6. AI Transparency: AI decision logic must be explainable to DHA upon request. Black-box models cannot be used for decisions affecting patient care without human review.
7. Incident Response: data breach notification to DHA within 24 hours of discovery, a documented and tested incident response plan, and a post-incident review process.
8. Staff Training: all staff with access to patient data must complete DHA-approved data protection training. Records are maintained and available for audit.
9. Business Continuity: a disaster recovery plan with RTO (Recovery Time Objective) and RPO (Recovery Point Objective) defined, and annual testing of backup and restore.

Chapter 3

How to Verify a Healthcare AI Vendor

Due diligence checklist for evaluating AI vendors for DHA compliance.

Documents to Request

1. DHA Facility License: check the license number on the DHA portal.
2. Data Processing Agreement Template: must specify UAE data residency.
3. SOC 2 Type II Certificate: dated within the last 12 months.
4. Security Policies Document: access controls, incident response, encryption.
5. AI Consent Flow Samples: in both Arabic and English.
6. Audit Log Documentation: a sample showing logged access events.
7. Staff Training Records: a sample of staff data protection training.
8. Incident Response Plan: tested and documented.

Verification Steps

1. Verify License: check the DHA facility license number at dubaihealth.gov.ae or request a DHA confirmation letter.
2. Cross-Check Certifications: contact the certification body directly to verify the validity of the SOC 2 Type II certificate.
3. Test Data Residency: ask the vendor to show the server location in their infrastructure documentation or cloud console.
4. Review DPA Language: ensure the UAE data residency clause is explicitly stated, not buried in the terms.
5. Request Reference Hospital: ask for a reference UAE hospital willing to confirm their experience with the vendor.
6. Audit Log Demo: request a live demo showing how audit logs capture AI interactions with patient data.
7. Arabic Consent Test: test the Arabic consent flow yourself to verify that it is functional, not just translated.

Chapter 4

Solinify Pulse DHA Compliance Specifics

How Pulse addresses each DHA compliance requirement.

Our DHA Facility License

Solinify holds a DHA facility license for health data management services (License No. DHA-HDS-XXXXX). This license is the foundational requirement for legally handling patient data in Dubai and is available for verification upon request or through the DHA portal.

Verified DHA facility license — available for cross-check

UAE Data Residency: patient data stored exclusively in the AWS UAE (me-south-1) and Azure UAE North regions; both are DHA-approved cloud regions.

Encryption (At Rest): AES-256 encryption for all stored patient data. Encryption keys managed separately via AWS KMS or Azure Key Vault.

Encryption (In Transit): TLS 1.3 for all data transmission. Certificate pinning implemented for mobile API connections.

Access Controls: role-based access with Azure AD integration. MFA required for all data access. Quarterly access reviews conducted.

Audit Logging: all data access events logged with timestamp, user identity, action type, and data touched. Logs retained 7+ years.

Arabic Consent: patient consent flows available in Modern Standard Arabic and Gulf Arabic dialect. Reversible consent supported.

AI Transparency: every AI response linked to its decision logic. Human escalation protocols documented. No black-box clinical decisions.

Incident Response: 24-hour breach notification protocol. Incident response plan tested annually. DHA reporting process documented.

Chapter 5

DHA Compliance Checklist for AI Vendors

Use this checklist when evaluating any healthcare AI vendor in UAE.

1. DHA facility license number verified
2. UAE data residency confirmed in writing
3. SOC 2 Type II certificate (current)
4. PDPL-compliant data processing agreement
5. Arabic + English consent flows tested
6. Role-based access controls implemented
7. Multi-factor authentication for data access
8. Audit log system operational and demoed
9. Incident response plan documented
10. 24-hour breach notification process defined
11. AI decision logic transparency available
12. Human escalation protocols documented
13. Staff data protection training records
14. Disaster recovery plan tested
15. Business continuity plan in place
16. Reference hospital in UAE available

Chapter 6

Frequently Asked Questions

DHA compliance questions specific to healthcare AI vendors in UAE.

Ready to Verify Our DHA Compliance?

We will provide our full DHA compliance documentation package, a UAE reference hospital, and a free proof of concept, so you can verify our compliance yourself.

Full documentation package provided. No commitment required.